@tdurieux/anonymous_github Vulnerable to XSS via Unsanitized GitHub Repository Content Rendering in Anonymous GitHub Origin

Summary Anonymous GitHub fetches repository content e.g., markdown files from GitHub's API and renders it without sanitization. On the client side, markdown is parsed with marked with sanitize: false and injected into the DOM via $sce.trustAsHtml + ng-bind-html, bypassing AngularJS's built-in XSS...

PT-2026-37310

Name of the Vulnerable Software and Affected Versions YetAnotherForum.NET YAF.NET versions prior to 4.0.5 YetAnotherForum.NET YAF.NET versions prior to 3.2.12 Description The thread posting and reply feature allows user-supplied content to be stored server-side and rendered on the thread page...

PT-2026-37309

Name of the Vulnerable Software and Affected Versions YetAnotherForum.NET YAF.NET versions prior to 4.0.5 YetAnotherForum.NET YAF.NET versions prior to 3.2.12 Description Stored Cross-Site Scripting XSS occurs when attacker-controlled input is persisted and later rendered without proper...

PT-2026-37292

Name of the Vulnerable Software and Affected Versions WWBN AVideo versions prior to 29.1 Description An issue exists where the endpoint "/objects/notifySubscribers.json.php" accepts a raw message POST parameter and passes it to the sendSiteEmail function. This function substitutes the input...

Google Chrome 安全漏洞

Google Chrome is a web browser developed by Google Inc. Versions of Google Chrome prior to 148.0.7778.96 contained a security vulnerability, which was caused by improper implementation in ServiceWorkers. This vulnerability could allow remote attackers who have compromised rendering processes to...

Google Chrome 安全漏洞

Google Chrome is a web browser developed by Google Inc. Versions of Google Chrome prior to 148.0.7778.96 contained a security vulnerability. This vulnerability stemmed from improper implementations in Cast, and could allow remote attackers with access to the damaged rendering process to bypass...

Google Chrome 安全漏洞

Google Chrome is a web browser developed by Google Inc. Versions of Google Chrome prior to 148.0.7778.96 contained a security vulnerability. This vulnerability stemmed from insufficient execution of WebUI policies, which could allow remote attackers with access to the rendering process to bypass...

Google Chrome 输入验证错误漏洞

Google Chrome is a web browser developed by Google Inc. Versions of Google Chrome prior to 148.0.7778.96 contained a vulnerability related to input validation errors. This vulnerability stemmed from insufficient trusted input validation in SiteIsolation, which could allow remote attackers with...

PT-2026-37247

Name of the Vulnerable Software and Affected Versions LobeHub versions prior to 2.1.48 Description A stored cross-site scripting XSS issue exists in the message rendering mechanism. When processing custom tags in the src/features/Portal/Artifacts/Body/Renderer/index.tsx render process, the softwa...

Google Chrome 资源管理错误漏洞

Google Chrome is a web browser developed by Google Inc. Versions of Google Chrome prior to 148.0.7778.96 contained a resource management vulnerability. This vulnerability stemmed from the reusing of resources after they were released in Aura, which could allow remote attackers who have compromise...

Insecure Inherited Permissions

Overview Affected versions of this package are vulnerable to Insecure Inherited Permissions when handling public methods on ViewComponent::Preview, which are treated as reachable even if the methods are not explicitly allowed, in renderwithtemplate. An attacker can render internal Rails templates...

CVE-2026-31784

A flaw was found in the Linux kernel's drm/xe/pxp component. An issue exists where a restart flag in the pxpstart function is not properly cleared. This oversight can cause the function to continuously loop, potentially leading to a system hang or crash, resulting in a Denial of Service DoS...

Imagination Graphics DDK 资源管理错误漏洞

Imagination Graphics DDK is a suite of GPU driver tools from Imagination UK. The Imagination Graphics DDK suffers from a Resource Management Error vulnerability that originates when WebGPU content is loaded into the GPU GLES rendering process triggering a write-release-after-reuse crash, which...

Linux kernel 安全漏洞

Linux kernel is the kernel used by Linux, the open source operating system of the Linux Foundation in the United States. A security vulnerability exists in the Linux kernel that stems from a failure to deny a write to a read-only VMA in the drm/xe page error handling, which could lead to elevatio...

Linux kernel 安全漏洞

Linux kernel is the kernel used by Linux, the open source operating system of the Linux Foundation in the United States. A security vulnerability exists in the Linux kernel that stems from a failure to perform boundary checks on user control pointers in drm-compatible ioctl paths, which could lea...

Imagination Graphics DDK 资源管理错误漏洞

Imagination Graphics DDK is a suite of GPU driver tools from Imagination UK. The Imagination Graphics DDK suffers from a resource management error vulnerability that stems from a write-release-after-reuse crash triggered when WebGPU content is loaded into the GPU GLES rendering process, which cou...

PT-2026-36419

In the Linux kernel, the following vulnerability has been resolved: drm/xe/pxp: Clear restart flag in pxp start after jumping back If we don't clear the flag we'll keep jumping back at the beginning of the function once we reach the end. cherry picked from commit...

CVE-2026-3346 Stored Cross-Site Scripting (XSS) in Langflow Markdown Rendering via rehypeRaw

IBM Langflow Desktop 1.6.0 through 1.8.4 Lanflow is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted...

CVE-2026-3346 Stored Cross-Site Scripting (XSS) in Langflow Markdown Rendering via rehypeRaw

IBM Langflow Desktop 1.6.0 through 1.8.4 Lanflow is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted...

CVE-2026-3346

Summary: CVE-2026-3346 affects IBM Langflow Desktop 1.6.0–1.8.4. Affected component is the Markdown rendering pipeline via rehypeRaw, where unsafe handling allows an authenticated user to inject arbitrary JavaScript through a stored XSS vector, potentially leading to credentials disclosure within...